Rutgers University Computer Hacker Ordered to Pay $8.6 Million

A New Jersey man was ordered to pay $8.6 million in restitution and will spend six months under house arrest for launching a cyberattack on a state university that crippled communication between staff, faculty and students, prosecutors announced Friday.

Paras Jha, 22, of Fanwood, New Jersey, previously pleaded guilty of violating the Computer Fraud & Abuse Act when he attempted to attack the Rutgers University computer network, U.S Attorney Craig Carpenito said in a press release.

Jha was also sentenced to five years of supervised release and ordered him to perform 2,500 hours of community service.

According to court documents, between November 2014 and September 2016, Jha, a former Rutgers University computer science student, allegedly executed a series of “distributed denial of service” (DDOS) attacks on the networks of the university.

DDOS attacks occur when multiple computers acting in unison flood the Internet connection of a targeted computer or computers.

Jha’s attacks allegedly shut down Rutgers University’s central authentication server, which maintained, among other things, the gateway portal through which staff, faculty, and students delivered assignments and assessments, a press release from prosecutors says.

On Dec. 8, 2017, Jha, Josiah White, 21, of Washington, Pennsylvania, and Dalton Norman, 22, of Metairie, Louisiana, pleaded guilty to criminal informations in the District of Alaska charging them each with conspiracy to violate the Computer Fraud & Abuse Act.

In the summer and fall of 2016, White, Jha, and Norman created a powerful botnet – Marai Botnet — a collection of computers infected with malicious software without the knowledge or permission of the computers’ owners, prosecutors say.

The Mirai Botnet, targeted “Internet of Things” devices – non-traditional computing devices connected to the Internet, including wireless cameras, routers and digital video recorders, according to prosecutors, who added the group attempted to discover both known and undisclosed vulnerabilities that allowed them to attain administrative access to victim devices for the purpose of forcing the devices to participate in the Mirai Botnet.

Prosecutors say that the group’s involvement with the original Mirai variant of the botnet ended in 2016, when Jha posted the source code for Mirai on a criminal forum. However, since then, other criminal actors have used Mirai variants in a variety of additional attacks.

Between December 2016 to February 2017, Jha and Norman allgedly infected more than 100,000 primarily U.S.-based Internet-connected computing devices with malicious software. That malware caused the hijacked home Internet routers and other devices to form a powerful botnet, prosecutors said.

The men were accused of using the compromised devices as a network of proxies and rerouting Internet traffic. The targeted devices were used primarily in advertising fraud, including “clickfraud,” which is a type of Internet-based scheme that utilizes “clicks,” or the accessing of URLs and similar web content, for the purpose of artificially generating revenue, prosecutors say.

On Sept. 18, 2018, all three men were sentenced in federal court in Alaska to serve a five-year period of probation, 2,500 hours of community service, pay restitution in the amount of $127,000 and voluntarily give up cryptocurrency seized during the course of the investigation, prosecutors say.